
OWASP Hong Kong

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of the OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

The Hong Kong chapter was formed in December 2004. The main objectives of establishing the OWASP Hong Kong Chapter are:

- Many web applications have been built in the past 10 years, yet how many developers know whether the applications they developed are secure? With so many transaction-based systems in use, we should not ignore that the web application is another channel for attackers to compromise confidential information and interrupt critical business operations.

- Raise the security awareness of web application development among professionals.

- Encourage professionals to reference standards like ISO7799 for their web application security, post-deployment review and audit.

- Accelerate the sharing, learning, discussion and review of best practices among experienced web application security professionals, including across user groups (Java User Group and .NET User Group) and security associations (e.g. PISA) in Hong Kong.

From left to right: James Tsao, Anthony Lai, David Walker, Richard Stagg, Marco Leung and Gary Kung

News from Hong Kong Chapter

I have arranged a seminar on Wednesday 18 Jan 2012 by Tobias from the OWASP London Chapter, from 19:00 to 20:15 at HK Polytechnic University, room P305. I would like to invite OWASP, PISAM, ISOC-HK, HK Software Exploitation and VXRL fellows to attend it:

Description:
This is cutting edge and will talk about new technologies that will be coming up in the coming months to counter risks that became apparent from the current trust model used in browsers, with hundreds of equally trusted CAs and its vulnerability to a breach of a single individual CA.

In recent months, major trusted CAs providing certificates for SSL/TLS in browser scenarios were compromised (e.g. the DigiNotar breach), and under the current trust model (trusting all registered CAs equally for all domains) this exposed vital web applications to the risk of man-in-the-middle attacks.
Several approaches are currently being discussed to mitigate this risk. The most advanced, and closest to final adoption, are the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates.
To better protect content providers against the distribution of bogus certificates, an HTTP header extension has been defined that carries a fingerprint of their certificates, bound to a domain name.
This approach has been partly tested in Chrome and already helped identify and, to some extent, protect Google's web applications in the recent DigiNotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services.

The presented technology is cutting edge and, although the specification is not final yet, it will be rolled out in about 6 months' time. Two other models that compete with or complement this approach will also be discussed (DNSSEC and Moxie's Convergence).
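As an added example (not code from the page, the seminar, or any browser), here is the pin check the description sketches: a client remembers key fingerprints from the header and rejects a served chain that matches none of them, even when a browser-trusted CA signed it. It assumes the header syntax later standardised as RFC 7469 Public-Key-Pins (pin-sha256 directives over the certificate's SubjectPublicKeyInfo, plus max-age and includeSubDomains), and stands certificates in with constructed SPKI byte strings; the function and key names are assumptions.

```python
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')

def spki_pin(spki_der):
    """A pin is the SHA-256 digest of the certificate's SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).digest()

def parse_pins_header(header):
    """Return (set of raw pin digests, max-age in seconds or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        directive = directive.strip()
        m = PIN_RE.fullmatch(directive)
        if m:
            pins.add(base64.b64decode(m.group(1)))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.partition("=")[2].strip().strip('"'))
    return pins, max_age

def chain_is_pinned(chain_spkis, pins):
    """Client check: some SPKI in the served chain must match a remembered pin.
    A chain that validates to a trusted CA but matches no pin (the DigiNotar
    case) is rejected."""
    return any(spki_pin(s) in pins for s in chain_spkis)

def header_is_noteworthy(header, chain_spkis):
    """Before remembering pins, the client requires one pin matching the served
    chain plus at least one backup pin that does not, and a max-age."""
    pins, max_age = parse_pins_header(header)
    matching = {spki_pin(s) for s in chain_spkis} & pins
    return bool(matching) and bool(pins - matching) and max_age is not None

# Constructed stand-ins for SPKI blobs (not real keys or certificates).
SITE_INTERMEDIATE = b"constructed-spki:site-intermediate-ca"
SITE_LEAF = b"constructed-spki:site-leaf-key"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
ROGUE_CA = b"constructed-spki:compromised-but-browser-trusted-ca"
ROGUE_LEAF = b"constructed-spki:bogus-leaf-issued-by-rogue-ca"

PINS_HEADER = "; ".join(
    ['pin-sha256="%s"' % base64.b64encode(spki_pin(k)).decode()
     for k in (SITE_INTERMEDIATE, BACKUP_KEY)] + ["max-age=5184000", "includeSubDomains"])

def check_connection(chain_spkis, header=PINS_HEADER):
    """Return "accept" or "reject" for a served chain against remembered pins."""
    pins = parse_pins_header(header)[0]
    return "accept" if chain_is_pinned(chain_spkis, pins) else "reject"
```

Pinning the intermediate rather than the leaf lets the site rotate leaf certificates without changing the header, while the backup pin covers an offline key for recovery.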

NEW!!!! Software Exploitation - It is about reverse engineering and exploitation

I feel very honored to invite Nguyen NAM to provide a 2-day workshop on software exploitation and reverse engineering. In fact, we met at the OWASP AppSec Conference 2008 in Taipei, and his team won the CTF (Capture The Flag) at Hack In The Box (HITB) 2008. It is a really valuable chance to have him in Hong Kong, and this workshop is normally charged at 1000 USD per head. Meanwhile, there is NO such workshop held in Hong Kong. Please reach me at anthonylai@owasp.org for reservation.

Status - 16 Dec 2008: The speaker will arrive on 19 Dec. Please bring USB storage of more than 8GB to copy the VM for practice later on.
Please act fast to reserve your seat; the current reservation count is 30. The class size is expected to be at most 35.

Payment Method:

1) Send the payment to: Hang Seng Bank, 390-031367-888 and then send back the receipt to anthonation@gmail.com and anthonylai@owasp.org

Seats are limited and the expected lab size is at most 40. The current reservation count is 24 (Last updated: 3 Dec 2008).

Summary
This course is a primer on software exploitation in the Linux environment.
The course assumes only a basic understanding of Linux commands and C
programming with the standard library. It explains computer architecture
and assembly language, then moves on to three basic classes of security
bug: buffer overflow, format string, and race condition, and methods to
take advantage of them. Throughout the course, various examples are
introduced with increasing difficulty so that participants will naturally
realize the art of software exploitation for themselves.

This course does not cover shellcoding. Except for one example where
provided shellcode is used as an illustration, all other challenges require
only good analysis and calculation.

The course is conducted as a workshop with heavy interaction between
participants and the instructor. There will not be any presentation slides.
Participants are expected to take notes during the course.

Audience

Software developers, system administrators and security engineers with some
experience in Linux and C programming. It is also good preparation for a
candidate joining a Capture The Flag (CTF) event.

Table of Contents

1. Computer architecture

2. Assembly language

3. Buffer overflow

4. Format string

5. Race condition

6. Techniques

a. Overwrite critical variable

b. Overwrite return address

c. Return to .text

d. Return to libc

e. Overwrite .dtors

f. Overwrite .got

g. Overwrite .bss, functors

h. Bypass Address Space Layout Randomization

7. Tools of the trade: IDA, GDB, and Python

8. Sharing of CTF in HITB

Workshop Specifics
A lab is available, and a VM image will be provided.

Speaker Biography
Nam Nguyen is currently the principal security consultant with Blue
Moon Consulting Co., Ltd. He started poking at binaries when he
couldn't finish Dune 2 and has since spent more than a decade reverse
engineering and understanding how stuff works.
Nam is a CISSP, a core member of the VNSecurity group, and a chapter
lead of OWASP Vietnam. His interests include code construction and
destruction, decompilation and Python.